accepted
Mobile Device Integrity Scanning (MDIS) Server Security Technical Implementation Guide (STIG)
This STIG provides technical security controls required for the use of a mobile MDIS server to audit the integrity of mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network-connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
DISA, Field Security Operations
STIG.DOD.MIL
Release: 2 Benchmark Date: 9 May 2013
1
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
Required mobile device management server version used<GroupDescription></GroupDescription>
WIR-WMS-GD-001
The required mobile device management server version (or later) must be used.
<VulnDiscussion>Earlier versions of the MDM server may have security vulnerabilities or not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security features are not implemented on site-managed mobile devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Upgrade to the required (or later) mobile device management server version.
On the mobile device management server, determine the version number of the server. The exact procedure will vary, depending on the mobile device management product used.
-Verify the server version is the latest available version and includes the latest patches available. Talk to the site system administrator and view the vendor's web site to determine the correct version number.
-Mark as a finding if the server version is not as required.
Mobile device management server STIG compliant<GroupDescription></GroupDescription>
WIR-WMS-GD-002
The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
<VulnDiscussion>The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the management server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Conduct required STIG reviews of the OS and all installed applications on the host server.
Work with the OS Reviewer or check VMS for last review of each host server where a mobile management server is installed. This includes the host server for the MDM, MAM, MDIS, and MEM servers. The review should include the SQL server, Apache Tomcat, and IIS, if installed.
Mark as a finding if the previous or current OS review of the Windows server did not include the SQL or other applications included with the management server.
Configure mobile device management server firewall<GroupDescription></GroupDescription>
WIR-WMS-GD-004
The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
<VulnDiscussion>A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server if the server host firewall is not set up as required. HBSS is usually used to satisfy this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Install the management server host-based or appliance firewall and configure as required.
The host server host-based or appliance firewall must be configured as required.
The server firewall is configured with the following rules:
-Deny all except when explicitly authorized.
-Internal traffic from the server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.
-Internet traffic from the server is limited to only specified services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the mobile management server and/or service.
-Firewall settings listed in the STIG Technology Overview or the vendor's installation manual will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets.
Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet.
Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.
Check Procedures:
-Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall).
-Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the server connects to should be included on this list.
-Mark as a finding if the IP addresses configured on the server host-based firewall are not on the list of trusted networks.
Mobile management server PKI certificate<GroupDescription></GroupDescription>
WIR-WMS-GD-010
The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
<VulnDiscussion>When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IATS-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use a DoD-issued digital certificate on the mobile management server.
Verify a DoD server certificate has been installed on the mobile management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed.
The check procedure will depend on the mobile management server product used.
Mark as a finding if a DoD server certificate has not been installed on the mobile device management server.
For the Good Technology server follow these procedures:
-Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs.
-Click the Lock icon next to the address bar, then select “view certificates”.
On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”.
If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD-issued certificate has been installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG to request/install a certificate issued from a trusted DoD PKI.
Mobile management server authentication<GroupDescription></GroupDescription>
WIR-WMS-GD-011
Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
<VulnDiscussion>CTO 07-15 Rev 1 requires administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server support AD authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>IAIA-1, IATS-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Configure required authentication on system administration accounts for mobile management servers.
Review the admin accounts settings on the mobile management server to verify CTO 07-15 Rev 1 required authentication is enabled for admin accounts. The check procedure will depend on the mobile management server product used.
Mark as a finding if site admin accounts do not meet the requirements.
Maintain scan results<GroupDescription></GroupDescription>
WIR-WMS-MDIS-01
The results and mitigation actions from the MDIS server on site-managed mobile OS devices must be maintained by the site for at least 6 months (1 year recommended).
<VulnDiscussion>Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there are any security vulnerability trends for site-managed mobile OS devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECAT-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Mark as a finding if mitigation scan results and mitigation actions are not maintained for at least 6 months.
Review records of scan results, mitigation actions, and the date that scans took place. Verify scan results and mitigation actions are available for at least a 6 month period (1 year recommended).
Mark as a finding if mitigation scan results and mitigation actions are not maintained for at least 6 months.
Implement mitigation actions<GroupDescription></GroupDescription>
WIR-WMS-MDIS-02
Mitigation actions must be implemented based on integrity validation scan findings.
<VulnDiscussion>If mitigation actions are not implemented after a scan finding, DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised. The IAO should determine the appropriate mitigation action based on the scan finding report and any other analysis performed by site Information Assurance (IA) staff. It is expected that the system administrator or IAO will approve all mitigation actions before they are implemented, including those implemented by the server (for example, device wipe).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Implement required mitigation actions.
Review records of scan results indicating a finding, recommended mitigation actions from the scan report and on-site analysis, and mitigation actions implemented by the site that are listed in the site's report. Verify mitigation actions were implemented at the site.
Mark as a finding if mitigation actions have not been implemented after a scan indicates a finding.
Scan alerts<GroupDescription></GroupDescription>
WIR-WMS-MDIS-06
The MDIS server must alert when it identifies malicious code on managed mobile devices.
<VulnDiscussion>Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Alerting is required to ensure proper management oversight is provided to timely mitigation actions to reduce the effect of the compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECAT-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that alerts when it identifies malicious code on managed mobile devices and enable the feature.
Verify the MDIS server alerts when it identifies malicious code on managed mobile devices. Talk to the site system administrator and have them show this capability exists in the MDIS server and is enabled. Also, review MDIS product documentation.
Mark as a finding if the MDIS server does not have required features.
Real-time alert<GroupDescription></GroupDescription>
WIR-WMS-MDIS-07
The MDIS server must provide a near real-time alert when any compromise or potential compromise indicator occurs.
<VulnDiscussion>Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Timely alerting is required to ensure proper management oversight is provided to mitigation actions to reduce the effect of the compromise. Compromise indicators include the following:
-Unauthorized software on the device.
-Jailbroken or rooted device.
-Changes in file structure or files on the device.
-Unexpected changes in applications installed on the device.
-Integrity check failure of all operating system files, device drivers, and security enforcement mechanisms at device startup.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECAT-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that implements near real-time alerts when any compromise or potential compromise indicators occur and enable the feature.
Verify the MDIS server implements detection and inspection mechanisms to provide near real-time alerts when any compromise or potential compromise indicator occurs. Talk to the site system administrator and have them show this capability exists in the MDIS server and is enabled. Also, review MDIS product documentation.
Mark as a finding if the MDIS server does not have required features.
Scan notifications<GroupDescription></GroupDescription>
WIR-WMS-MDIS-08
The MDIS server must provide notifications regarding suspicious events to an organization-defined list of response personnel, including the IAO and system administrator, who are identified by name and/or by role.
<VulnDiscussion>Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Timely alerting is required to ensure proper management oversight is provided to mitigation actions to reduce the effect of the compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECAT-1, ECAT-2</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that provides alerts of suspicious events to an organization-defined list of response personnel, including the IAO and system administrator, who are identified by name and/or by role.
Verify the MDIS server provides alerts of suspicious events to an organization-defined list of response personnel, including the IAO and system administrator, who are identified by name and/or by role. Talk to the site system administrator and have them show this capability exists in the MDIS server and is enabled. Also, review MDIS product documentation.
Mark as a finding if the MDIS server does not have required features.
Verify device integrity<GroupDescription></GroupDescription>
WIR-WMS-MDIS-11
The MDIS server must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter, using one or more DoD-approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline.
<VulnDiscussion>Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Analysis has determined scans must be performed at least every 6 hours.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance>iOS 6 scans all operating system files, device drivers, and security enforcement mechanisms at startup, so the first part of this requirement is met by default. iOS 6 does not repeat the system scan every 6 hours. If a third-party application is not used to scan all operating system files, device drivers, and security enforcement mechanisms every six hours, there is a finding and the Severity should be downgraded to CAT II.</SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>DCSS-2</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that verifies the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter, using one or more DoD-approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline, and enable the features.
Verify the MDIS server checks the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter, using one or more DoD-approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline.
Talk to the site system administrator and have them show this capability exists in the MDIS server and is enabled. Also, review MDIS product documentation.
Mark as a finding if the MDM server does not meet the requirement.
Note: iOS 6 scans all operating system files, device drivers, and security enforcement mechanisms at startup, so the first part of this requirement is met by default. iOS 6 does not repeat the system scan every 6 hours. If a third-party application is not used to scan all operating system files, device drivers, and security enforcement mechanisms every six hours there is a finding and the Severity should be downgraded to CAT II.
Disable scanning<GroupDescription></GroupDescription>
WIR-WMS-MDIS-12
The MDIS agent must not be capable of being disabled or controlled by the user or other mobile device application.
<VulnDiscussion>The integrity of the device security baseline would be compromised if the MDIS agent could be disabled by the user or an application.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECTP-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that is not capable of being disabled or controlled by the user or other mobile device application.
Verify the MDIS agent is not capable of being disabled or controlled by the user or other mobile device application. Talk to the site system administrator and have them show this capability exists for the MDIS agent. Also, review MDIS product documentation.
Mark as a finding if the MDIS agent does not have required features.
Scan finding risk<GroupDescription></GroupDescription>
WIR-WMS-MDIS-14
The MDIS server must base recommended mitigations for findings on the identified risk level of the finding.
<VulnDiscussion>Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Since the MDIS is an automated capability, the server must be able to determine the severity of the finding and provide a recommended mitigation to ensure timely action to mitigate the finding.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECAR-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that bases recommended mitigations for findings on the identified risk level of the finding.
Verify the MDIS server bases recommended mitigations for findings on the identified risk level of the finding. Talk to the site system administrator and have them show this capability exists in the MDIS server. Also, review MDIS product documentation.
Mark as a finding if the MDIS server does not have required features.
Scan independence<GroupDescription></GroupDescription>
WIR-WMS-MDIS-15
The MDIS agent must operate separate and independent of the management of the mobile device security policy.
<VulnDiscussion>One of the key capabilities of the MDIS feature is the capability to determine if the device has been compromised. To ensure integrity of the feature, the MDIS must not be modified by any device management feature, and must be able to monitor the compliance of device management.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECTP-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that operates separate and independent of the management of the mobile device security policy.
Verify the MDIS agent operates separate and independent of the management of the mobile device security policy. Talk to the site system administrator and have them show this capability exists in the MDIS server. Also, review MDIS product documentation.
Mark as a finding if the MDIS agent does not have required features.
Scan content - files<GroupDescription></GroupDescription>
WIR-WMS-MDIS-16
The MDIS server must identify changes in file structure and files on the mobile device.
<VulnDiscussion>Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. File structure changes are a key indicator of possible device compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECAR-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that identifies changes in file structure and files on the mobile device.
Verify the MDIS server identifies changes in file structure and files on the mobile device. Talk to the site system administrator and have them show this capability exists in the MDIS server. Also, review MDIS product documentation.
Mark as a finding if the MDIS server does not have required features.
Scan results - applications<GroupDescription></GroupDescription>
WIR-WMS-MDIS-17
The MDIS server must identify unexpected changes in applications installed on the mobile device.
<VulnDiscussion>Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Application changes are a key indicator of possible device compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECAR-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that identifies unexpected changes in applications installed on the mobile device.
Verify the MDIS server identifies unexpected changes in applications installed on the mobile device. Talk to the site system administrator and have them show this capability exists in the MDIS server. Also, review MDIS product documentation.
Mark as a finding if the MDIS server does not have required features.
Scan archive by device<GroupDescription></GroupDescription>
WIR-WMS-MDIS-18
The MDIS server must have the capability to maintain change history of individual devices.
<VulnDiscussion>Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there are any security vulnerability trends for site-managed mobile OS devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECAT-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an MDIS product that has the capability to maintain change history of individual devices.
Verify the MDIS server has the capability to maintain change history of individual devices. Talk to the site system administrator and have them show this capability exists in the MDIS server. Also, review MDIS product documentation.
Mark as a finding if the MDIS server does not have required features.
Master encryption key rotation<GroupDescription></GroupDescription>
WIR-WMS-MDM-03
The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
<VulnDiscussion>There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IAKM-1</IAControls>
VMS Target Generic Mobile Device Integrity Scanning (MDIS) DISA FSO VMS Target Generic Mobile Device Integrity Scanning (MDIS) 2339
Use an AES master encryption key and set it to rotate at least every 30 days.
This requirement applies to any mobile management server, including the MDM, MAM, MDIS, and MEM. If PKI-based encryption key generation is used between the management server and the agent on the mobile device, this check is not applicable.
Work with the server system administrator and determine how the encryption key is generated. If a shared secret is used between the management server and the agent on the mobile device, view the configuration of the master encryption key on the server. Verify AES is used for the master encryption key and it is set to rotate at least every 30 days.
Mark as a finding if the master encryption key is not rotated at least every 30 days or AES encryption is not used.